Systems and methods for a multi-tiered fraud alert review

ABSTRACT

Embodiments of systems and methods for fraud review are disclosed. The systems may include multi-tiered computing systems which may receive fraud alerts from multiple sources. A computing system in a tier may receive a fraud alert and use one or more fraud risk metrics to determine whether the fraud alert should be escalated. If the computing system determines that the fraud alert should be escalated, the computing system may transmit an escalation message to a higher tier computing system. If the computing system determines that the fraud alert should not be escalated, the computing system may transmit a message to a fraud prevention computing system. In some embodiments, the computing system may determine that the fraud alert is a false positive and transmit a false positive message to the source of the fraud alert such as a lower tier computing system.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation application of U.S. patentapplication Ser. No. 15/840,957, filed Dec. 13, 2017, which claimspriority to U.S. Provisional Patent Application Ser. No. 62/433,666,filed on Dec. 13, 2016, which is hereby incorporated by reference in itsentirety.

TECHNICAL FIELD

This application relates generally to computer systems and computerimplemented methods for automatically reviewing and vetting fraud alertsin computer implemented transactions.

BACKGROUND

Fraudulent activities have been a huge problem in computer implementedtransactions. For instance, a third party may steal authenticationcredentials of a legitimate client and make an unauthorized gain. Acustomer may also misrepresent one or more facts when providinginformation, e.g. by filling out online forms, to get an unfairadvantage. Furthermore, employees of an organization may collude withcustomers or third parties for illegitimate gains. Computer systemsimplemented to make monetary transactions efficient and fastnevertheless allow fraudulent activities to be efficient and fast aswell.

Conventional fraud prevention systems rely excessively on humanintervention. For example, one or more computers may flag a potentiallyfraudulent activity in a monetary transaction and may prompt personnelfrom a fraud prevention department to review the flagged activity. Thepersonnel involved may have to undertake actions such as calling thecustomer to confirm if he/she intended the transaction and/or callinglaw enforcement to report a potential fraudulent activity. Having peopledealing with potential frauds in a case by case basis is highlyinefficient, subjective, and expensive. For example, it is a cumbersomeprocess when a person is reviewing a potential fraud—the person has tomanually review various disparate information pieces and communicatewith the customer and/or other entities to make a final determination.Furthermore, the evaluation may be subjective based on the competenceand diligence of the person reviewing the fraud. For example, thereviewing person may fail to analyze a crucial piece of data. Also, inthis era of global transactions, a fraud prevention center has to bemanned 24 hours a day and seven days a week with a large amount ofstaff, which may be very expensive to an organization hosting orfacilitating computer implemented transactions.

SUMMARY

What is therefore needed is an automated and intelligent fraudreviewing, vetting, and prevention system with minimal humanintervention. What is also needed is a hierarchically configuredcomputing systems that may receive fraud alerts and/or flags fromdiverse sources and automatically determine whether to escalate thefraud alerts and/or flags to varying degree of automatic investigativeprocesses. What is further needed is a centralized computer system thatmay receive data and flags from diverse set of sources to automaticallygenerate a comprehensive database to help fraud prevention.

In an embodiment, computer-implemented method comprises receiving, by afirst level computing system, a first level fraud alert notificationmessage from a webserver; retrieving, by the first level computingsystem, one or more data records associated with the first level fraudalert notification message and one or more data records of first levelfraud risk metrics from a first level risk database; determining, by thefirst level computing system, a first level fraud risk score based uponthe one or more data records associated with the first level fraud alertnotification message and the one or more data records of the first levelfraud metrics; upon determining by the first level computing system thatthe first level fraud risk score exceeds a first level fraud threshold:generating, by the first level computing system, a second level fraudalert notification message, wherein the second level fraud alertnotification message includes one or more data fields indicating anescalation of the first level fraud alert notification message;transmitting, by the first level computing system, the second levelfraud alert notification message to a second level computing system,wherein the second level computing system is at a higher tier than thefirst level computing system; transmitting, by the first level computingsystem, a stop execution message to the webserver, wherein the stopexecution message instructs the webserver to stop executing computeroperations associated with the first level fraud alert notificationmessage; and upon determining by the first level computing system thatthe first level fraud risk score is below the first level fraudthreshold: transmitting, by the first level computing system, a continueexecution message to the webserver, wherein the continue executionmessage instructs the webserver to continue executing computeroperations associated with the first level fraud alert notificationmessage.

In another embodiment, a system comprises a first level risk database; afirst level computing system configured to: receive a first level fraudalert notification message from a webserver; retrieve one or more datarecords associated with the first level fraud alert notification messageand one or more data records of first level fraud risk metrics from thefirst level risk database; determine a first level fraud risk scorebased upon the one or more data records associated with the first levelfraud alert notification message and the one or more data records of thefirst level fraud metrics; upon determining that the first level fraudrisk score exceeds a first level fraud threshold: generate a secondlevel fraud alert notification message, wherein the second level fraudalert notification message includes one or more data fields indicatingan escalation of the first level fraud alert notification message;transmit the second level fraud alert notification message to a secondlevel computing system, wherein the second level computing system is ata higher tier than the first level computing system; transmit a stopexecution message to the webserver, wherein the stop execution messageinstructs the webserver to stop executing computer operations associatedwith the first level fraud alert notification message; and upondetermining that the first level fraud risk score is below the firstlevel fraud threshold: transmit a continue execution message to thewebserver, wherein the continue execution message instructs thewebserver to continue executing computer operations associated with thefirst level fraud alert notification message.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings constitute a part of this specification andillustrate embodiments of the subject matter disclosed herein.

FIG. 1 shows an exemplary system, according to an exemplary embodiment.

FIG. 2 shows an exemplary method, according to an exemplary embodiment.

DETAILED DESCRIPTION

Reference will now be made to the illustrative embodiments illustratedin the drawings, and specific language will be used here to describe thesame. It will nevertheless be understood that no limitation of the scopeof the claims or this disclosure is thereby intended. Alterations andfurther modifications of the inventive features illustrated herein, andadditional applications of the principles of the subject matterillustrated herein, which would occur to one skilled in the relevant artand having possession of this disclosure, are to be considered withinthe scope of the subject matter disclosed herein. The present disclosureis here described in detail with reference to embodiments illustrated inthe drawings, which form a part here. Other embodiments may be usedand/or other changes may be made without departing from the spirit orscope of the present disclosure. The illustrative embodiments describedin the detailed description are not meant to be limiting of the subjectmatter presented here.

A fraud may be any deliberate deception committed against or by anelectronic transaction hosting company, an agent of the company, or aconsumer for the purpose of unjustified financial gain. Frauds may occurduring the process of buying, using, and/or selling, one or moreproducts or services. Some non-limiting examples of fraud may be:intentionally failing to disclose significant medical conditions orother material facts on an application, collecting disability benefitsafter returning to work, a representative who bills a client personallywithout delivering a good or service, health care providers who billtwice for the same service or for services not provided, a physician whoassists a claimant by certifying an unfounded disability claim, andtaking an unauthorized loan based on a deceptive application. Otherfrauds may involve a third party stealing a customer's credentials toreceive goods and services intended for the customer.

Embodiments herein provide an automated and hierarchical fraud detectingand reviewing systems and methods. The embodiments implementmulti-tiered computing systems which may receive fraud alerts frommultiple and diverse sources and may determine if a received fraud alerthas to be escalated for a more complex analysis. The multiple anddiverse sources may include call-center computers, computer systemsassociated with the service ambassadors, quality assurance servers,document management servers, claims servers, and/or treasury servers.Furthermore, each of the tiered computing system may be associated witha respective database or a shared database that allows the computingsystem to make the escalation determination.

An exemplary system may include computing systems arranged inhierarchical tiers. For example, the computing systems may be arrangedinto three tiers: a low risk tier, a medium risk tier, and the high risktier. The low risk tier computing systems may receive low risk fraudalerts from one or more fraud alert sources. The low risk fraud alertsmay include one or more suspicious activities which may not amount to ared flag for a potential fraud. The medium risk computing systems mayreceive flagged fraud alerts from one or more fraud alert sources. Theflagged fraud alerts may be generated by the fraud alert sources basedon known fraud red flags. The high risk computing systems may receivenotifications of fraud from one or more fraud alert sources. Thenotifications of fraud may be generated by the one or more fraud alertsources based upon determining that that there is a high likelihood offraudulent activities.

Each of the tiered computing systems may be associated with its owndatabase or a shared database that allows the respective computingsystem whether or not to escalate the alerts/notifications received fromthe one or more sources. Each of the databases, shared or otherwise, maycontain data records of electronic activity of a plurality of customersand agents, and the respective computing system may query the respectivedatabase to retrieve data records related to the received fraudalerts/notifications. Each of databases may further comprise datarecords of one or more metrics that the respective computing system mayuse to calculate a fraud score. Based on the calculated fraud score, therespective computing system may determine if an escalation message hasto be generated and sent to a higher tiered computing system. Forinstance, if the fraud score is above a threshold, then the respectivecomputing system may generate the escalation message. If however, thefraud score is below the threshold, the respective computing system maygenerate false positive message and transmit the false positive messageto the source of the fraud alert/notification.

For example, the low risk computing system may receive a notificationthat a customer requested an address change. The low risk computingsystem may query the associated database to retrieve data recordsrelated to the customer and relevant to the received notification.Furthermore, the low risk computing system may query the associateddatabase to retrieve one or more fraud risk metrics. Applying the one ormore fraud risk metrics to the retrieved data records, the lowest riskcomputing system may calculate a low risk fraud score. Based on thecalculated low risk fraud score, the lowest risk computing system maygenerate an escalation message for the medium risk computing system. Forinstance, if the customer indicated he/she was renting, change ofaddress may pose a lower risk versus if the customer indicated he/sheowned the property at the address.

The medium risk computing system may receive alerts from one or morefraud sources and/or escalation message from the lowest risk computingsystem. The medium risk computing system may query the associateddatabase to retrieve data records associated with the alert and/or theescalation message. Furthermore, the medium risk computing system mayquery the associated database to retrieve one or more fraud riskmetrics. Applying the one or more fraud risk metrics the retrieved datarecords, the medium risk computing system may calculate a medium riskfraud score. If the medium risk fraud score is above a threshold, themedium risk computing system may generate a high-risk escalation messageto be sent to the high risk computing system. If the medium risk fraudscore is below the threshold, the medium risk computing system maygenerate a false positive message to be sent back to the low riskcomputer system. Continuing with the above example, if the customerchanging the address was above the age of 60 years old, and not being adigital native, did not often use online tools, but rather made calls orwrote letters for any change of information—and the request for thechange of address came online, then the medium risk computing system maygenerate a high-risk escalation message. However, if the customerchanging the address was a graduate student and the database recordsindicated that he/she graduated recently, then the medium risk computingsystem may generate a false positive message and may transmit the sameto the low-risk computing system.

The high risk computing system may receive a high risk fraud alerts fromone or more fraud alert sources and high-risk escalation messages fromthe medium risk computing system. The high risk computing system mayquery the associated database to retrieve data records associated withthe high risk alerts and/or the high-risk escalation messages.Furthermore, the high risk computing system may query the associateddatabase to retrieve one or more fraud risk metrics. Applying the one ormore fraud risk metrics the retrieved data records, the high riskcomputing system may calculate a high risk fraud score. If the high riskfraud score is above a threshold, the high-risk computing system maygenerate a fraud case file. Furthermore, the high-risk computer systemmay notify appropriate law enforcement authorities about a possiblefraud.

The databases associated with each of the low risk, medium risk, andhigh risk computing systems may be updated based on the activities ofthe computing systems. For example, the database associated with the lowrisk computing system may be populated with false positives such thatthe low risk computing system may resolve similar fraud alerts withoutnotifying the medium risk computing system. Each of the databases mayalso be updated periodically based upon the experts' assessment andanalysis. In other words, all of the computing systems may generate avirtuous cycle of continuous learning to automatically flag and assesspotential frauds.

FIG. 1 shows an exemplary system 100 for automatic fraud alert review,according to an exemplary embodiment. The system 100 may include fraudalert sources 101, a low risk server 106, a low risk database 108, amedium risk server 102, a medium risk database 105, a high risk server104, a high risk database 107, a network 109, and a fraud preventionserver 103. One or more networks 109 may connect one or more componentsof the system 100. Examples of the networks 109 include, but are notlimited to, Local Area Network (LAN), Wireless Local Area Network(WLAN), Metropolitan Area Network (MAN), Wide Area Network (WAN), andthe Internet. The communication over the networks 109 may be performedin accordance with various communication protocols, such as TransmissionControl Protocol and Internet Protocol (TCP/IP), User Datagram Protocol(UDP), and IEEE communication protocols.

The fraud alert sources 101 may comprise various computer systems thatmay generate and transmit fraud alerts messages to one or more of thelow risk server 106, the medium risk server 102, and the high riskserver 104. Non-limiting examples of the fraud alert sources 101 includecall-center computers, computer systems associated with the serviceambassadors, quality assurance servers, document management servers,claims servers, and treasury servers. In other words, the fraud alertsources 101 may be diverse types of computer systems and serversgathering diverse types of data. Each fraud alert source 101 may gatherdata records based on its own functionality. For example, a call centercomputer 101 a may gather data records of each incoming calls under thedata fields of: the time the call was received, duration of the call,requests made by the caller, issues raised by the caller, actions takenby an agent taking the call during the call, actions taken by the agentafter taking the call, and/or any other data field. As another example,a claims server 101 b may gather data records under the fields such asthe amount of a claim, the qualifying event for the claim, the durationof the policy before the claims was made, and prior claims records ofthe customer making the claim. Each of the fraud alert servers 101 mayaggregate data and store the data on one or more associated databases.

Each of the fraud alert sources 101 may implement one or more processesto generate a fraud alert. Continuing with the call-center computer 101a example, a processor in the call center computer 101 a may query theaggregated database records for particular words, word combinationsand/or phrases. The example word combinations that the processor mayquery for may include: “payor” and “change”, “beneficiary” and “change”,“owner” and “change”, “address” and “change”, and “loan” and “process”.Example words that the process may query for may include: “withdraw”,“disbursement”, and “alert”. Based on the query, the processor in thecall-center computer may generate a fraud alert. The fraud alert mayinclude customer information, insurance policy information, and/or otherinformation associated with a potential fraud situation. The fraud alertsources 101 may also generate suspicious activity notifications basedupon determining a low risk of fraud. In addition, the fraud alertsources 101 may generate a message of a probable fraud based upondetermining a high risk of fraud.

The low risk server 106 may receive one or more suspicious activitynotifications from the one or more fraud alert sources 101. The low riskserver 106 may comprise one or more processors that process instructionsstored in one or more non-transitory storage media or received fromother servers/computers. The low risk server 106 may include or may beassociated with a low risk database 108. In operation, the low riskserver 106 may query the low risk database 108 to retrieve one or moredata records associated with the suspicious activity notification. Forexample, if the suspicious activity notification is more than twopurchases by a customer within a day, the low risk 106 may retrieve oneor more data records containing the customer's purchase activity for thepast two years, for example. Furthermore, the low risk server 106 mayquery the low risk database 108 to retrieve one or more data records oflow fraud risk metrics. The low risk server 106 may determine a lowfraud risk score based on the one or more data records associated withthe suspicious activity and the one or more data records of low fraudrisk metrics. If the low risk server 106 determines that the low fraudrisk score is above a low fraud risk threshold, the low risk server 106may generate an escalation message and transmit the escalation messageto the medium risk server 102. If the low risk server 106 determinesthat the low fraud score is below the low fraud risk threshold, the lowfraud risk server 106 may generate false positive message and transmitthe false positive message to the source of the suspicious activitynotification.

The medium risk server 102 may receive fraud alert messages from fraudalert sources 101 or escalation messages from the low risk server 106.The fraud alert messages may be based upon known one or more known fraudflags. The medium risk server 102 may comprise one or more processorsconfigured to process instructions stored in one or more non-transitorystorage media or received from other servers/computers. The medium riskserver 102 may include or may be associated with a medium risk database105. In operation, the medium risk server 102 may query the medium riskdatabase 105 to retrieve one or more data records associated with thefraud alert messages or the escalation messages. For example, if anescalation message is about more than two purchases by a customer withina day and that the customer has not shown such behavior in the past twoyears, the medium risk server 102 may retrieve one or more data recordscontaining the customer's purchase activity for the past five years, forexample. Furthermore, the medium risk server 102 may query the mediumrisk database 105 to retrieve one or more data records of medium fraudrisk metrics. The medium risk server 102 may determine a medium fraudrisk score based on the one or more data records associated with theescalation message and the one or more data records of medium fraud riskmetrics. If the medium risk server 102 determines that the medium fraudrisk score is above a medium fraud risk threshold, the medium riskserver 102 may generate an escalation message and transmit theescalation message to the high risk server 104. If the medium riskserver 102 determines that the medium fraud score is below the mediumfraud risk threshold, the medium fraud risk server 102 may generatefalse positive message and transmit the false positive message to thelow risk server 106.

The high risk server 104 may receive messages of probable fraud from thefraud alert sources 101 or escalation messages from the medium riskserver 102. The fraud alert sources 101 may generate the messages ofprobable fraud based upon determining that there is a high likelihood offraud. The high risk server 104 may comprise one or more processorsconfigured to process instructions stored in one or more non-transitorystorage media or received from other servers/computers. The high riskserver 104 may include or may be associated with a high risk database107. In operation, the high risk server 104 may query the high riskdatabase 107 to retrieve one or more data records associated with themessages of probable fraud or the escalation messages. For example, ifan escalation message is about more than two purchases by a customerwithin a day and that the customer has not shown such behavior in thepast five years, the high risk server 104 may retrieve one or more datarecords containing purchase activity for the past five years of othercustomers living in the same geographical area as the customer, forexample. Furthermore, the high risk server 104 may query the high riskdatabase 107 to retrieve one or more data records of high fraud riskmetrics. The high risk server 104 may determine a high fraud risk scorebased upon the one or more data records associated with the escalationmessage and the one or more data records of high fraud risk metrics. Ifthe high risk server 104 determines that the high fraud risk score isabove a high fraud risk threshold, the high risk server 104 may generatea notification of high fraud risk to the fraud prevention server 103. Inaddition or in the alternative, the high risk server 104 may alsotransmit a message indicating a probability of a fraud to lawenforcement via one or more communication channels, for example, e-mail.If the high risk server 104 determines that the high fraud score isbelow the high fraud risk threshold, the high fraud risk server 104 maygenerate false positive message and transmit the false positive messageto the medium risk server 102.

The fraud prevention server 103 may receive one or more messages fromone or more of the high risk server 104, the medium risk server 102, andthe low risk server 106. For example, the fraud prevention server 103may receive a message of high fraud risk from the high risk server 104.The fraud prevention server 104 may notify the system administrator ofthe receipt of the message of high fraud risk. The fraud preventionserver may co-ordinate one or more functions of one or more of the highrisk server 104, the medium risk server 102, and the low risk server106. For example, the fraud prevention server 103 may provide periodicupdates to the one or more of the high risk database 107, the mediumrisk database 105, and the low risk database 108. Furthermore, the fraudprevention server may provide an interface for a system administrator toprovide update the one or more databases 107, 105, 108. The servers 104,102, 106 may receive the updates, for example, updates to the fraud riskmetrics, and update the respective databases 107, 105, 108 accordingly.

FIG. 2 shows an exemplary method 200 of automatic fraud alert review,according to an exemplary embodiment. The method may be implemented by aplurality of hierarchically arranged multiple computing systems. Howeverfor the sake of brevity, the following describes the steps of the method200 as being implemented by a single computing system.

In a first step 201, the computing system may receive a fraud alert oran escalation message (also referred to as a fraud alert notificationmessage). The fraud alert may be sent from one or more fraud alertsources, which may be diverse type of computer systems such ascall-center computers, computer systems associated with the serviceambassadors, quality assurance servers, document management servers,claims servers, and treasury servers. These computers systems maygenerate the fraud alerts based on known fraud red flags such asexcessive cash withdrawal, multiple purchases, and/or frequent changesof customer address. For example, a webserver may generate a fraud alertthat a customer has tried to enter an invalid password a number of timesabove a predetermined threshold number. The escalation message may befrom a lower tier computing system. The lower tier computing system mayreceive a fraud alert with a lower risk than the fraud alert received bythe currently referenced computing system and may determine based ondata records related to the lower risk fraud alert and one or more lowerrisk fraud metrics that the fraud alert should be escalated and generatethe escalation message.

In a next step 202, the computing system may retrieve data recordsrelated to the fraud alert or the escalation message. The computingsystem may query an associated database for the data records related tothe fraud alert or the escalation message. For example, if the fraudalert or the escalation message pertains to a customer, the computingsystem may query the data records of the customer and/or data records ofsimilarly situated customer such as customers in the similar age groupand similar income level. The data records of similarly situatedcustomers may be used for cross validation.

In a next step 203, the computing system may retrieve one or more fraudrisk metrics. The fraud risk metrics may be stored in one or moredatabases associated with the computing systems. In some embodiments,the fraud risks metrics may include one or more data records thatinclude information weigh different factors to make a compositedetermination. In other embodiments, the fraud risk metrics may includedata records containing information on likelihood of a fraud based onthe presence of one or more factors.

In a next step 204, the computing system may determine whether the fraudalert or the escalation message should be further escalated based uponthe retrieved data records and the fraud risk metrics. The computingsystem may apply the fraud risk metrics on the retrieved data records.In some embodiments, the computing system may determine a numeric valueof a probability of fraud for the fraud alert or the escalation message.If the numeric value of the probability of fraud is above a threshold,the computing system may further escalate fraud alert or the receivedescalation message to generate a further escalation message. The furtherescalation message may contain one or more data fields indicating thatthe received escalation has been further escalated. The computing systemmay transmit the further escalation message to a second computing systemwhich is of higher tier than the computing system. Furthermore, thecomputing system may transmit a stop execution message to the source(such as a webserver) of the fraud alert. The stop execution message mayinstruct the webserver to stop executing computer operations associatedwith the fraud alert. If the numeric value of the probability of fraudis below the threshold, the computing system may transmit a falsepositive message to the source of the fraud alert or the escalationmessage. In this scenario, the computing system may transmit a continueexecution message to the source (such as a webserver) of the fraudalert. The continue execution message may instruct the webserver tocontinue executing computer operations associated with the fraud alert.

The foregoing method descriptions and the process flow diagrams areprovided merely as illustrative examples and are not intended to requireor imply that the steps of the various embodiments must be performed inthe order presented. The steps in the foregoing embodiments may beperformed in any order. Words such as “then,” “next,” etc. are notintended to limit the order of the steps; these words are simply used toguide the reader through the description of the methods. Althoughprocess flow diagrams may describe the operations as a sequentialprocess, many of the operations can be performed in parallel orconcurrently. In addition, the order of the operations may bere-arranged. A process may correspond to a method, a function, aprocedure, a subroutine, a subprogram, and the like. When a processcorresponds to a function, the process termination may correspond to areturn of the function to a calling function or a main function.

The various illustrative logical blocks, modules, circuits, andalgorithm steps described in connection with the embodiments disclosedherein may be implemented as electronic hardware, computer software, orcombinations of both. To clearly illustrate this interchangeability ofhardware and software, various illustrative components, blocks, modules,circuits, and steps have been described above generally in terms oftheir functionality. Whether such functionality is implemented ashardware or software depends upon the particular application and designconstraints imposed on the overall system. Skilled artisans mayimplement the described functionality in varying ways for eachparticular application, but such implementation decisions should not beinterpreted as causing a departure from the scope of this disclosure orthe claims.

Embodiments implemented in computer software may be implemented insoftware, firmware, middleware, microcode, hardware descriptionlanguages, or any combination thereof. A code segment ormachine-executable instructions may represent a procedure, a function, asubprogram, a program, a routine, a subroutine, a module, a softwarepackage, a class, or any combination of instructions, data structures,or program statements. A code segment may be coupled to another codesegment or a hardware circuit by passing and/or receiving information,data, arguments, parameters, or memory contents. Information, arguments,parameters, data, etc. may be passed, forwarded, or transmitted via anysuitable means including memory sharing, message passing, token passing,network transmission, etc.

The actual software code or specialized control hardware used toimplement these systems and methods is not limiting of the claimedfeatures or this disclosure. Thus, the operation and behavior of thesystems and methods were described without reference to the specificsoftware code being understood that software and control hardware can bedesigned to implement the systems and methods based on the descriptionherein.

When implemented in software, the functions may be stored as one or moreinstructions or code on a non-transitory computer-readable orprocessor-readable storage medium. The steps of a method or algorithmdisclosed herein may be embodied in a processor-executable softwaremodule, which may reside on a computer-readable or processor-readablestorage medium. A non-transitory computer-readable or processor-readablemedia includes both computer storage media and tangible storage mediathat facilitate transfer of a computer program from one place toanother. A non-transitory processor-readable storage media may be anyavailable media that may be accessed by a computer. By way of example,and not limitation, such non-transitory processor-readable media maycomprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage,magnetic disk storage or other magnetic storage devices, or any othertangible storage medium that may be used to store desired program codein the form of instructions or data structures and that may be accessedby a computer or processor. Disk and disc, as used herein, includecompact disc (CD), laser disc, optical disc, digital versatile disc(DVD), floppy disk, and Blu-ray disc where disks usually reproduce datamagnetically, while discs reproduce data optically with lasers.Combinations of the above should also be included within the scope ofcomputer-readable media. Additionally, the operations of a method oralgorithm may reside as one or any combination or set of codes and/orinstructions on a non-transitory processor-readable medium and/orcomputer-readable medium, which may be incorporated into a computerprogram product.

The preceding description of the disclosed embodiments is provided toenable any person skilled in the art to make or use the embodimentsdescribed herein and variations thereof. Various modifications to theseembodiments will be readily apparent to those skilled in the art, andthe generic principles defined herein may be applied to otherembodiments without departing from the spirit or scope of the subjectmatter disclosed herein. Thus, the present disclosure is not intended tobe limited to the embodiments shown herein but is to be accorded thewidest scope consistent with the following claims and the principles andnovel features disclosed herein.

While various aspects and embodiments have been disclosed, other aspectsand embodiments are contemplated. The various aspects and embodimentsdisclosed are for purposes of illustration and are not intended to belimiting, with the true scope and spirit being indicated by thefollowing claims.

What is claimed is:
 1. A computer-implemented method comprising:receiving, by a first level computing system, a first level fraud alertnotification message from a webserver; retrieving, by the first levelcomputing system, one or more data records associated with the firstlevel fraud alert notification message and one or more data records offirst level fraud risk metrics from a first level risk database;determining, by the first level computing system, a first level fraudrisk score based upon the one or more data records associated with thefirst level fraud alert notification message and the one or more datarecords of the first level fraud risk metrics; upon determining by thefirst level computing system that the first level fraud risk scoreexceeds a first level fraud threshold: generating, by the first levelcomputing system, a second level fraud alert notification message,wherein the second level fraud alert notification message comprises oneor more data fields indicating an escalation of the first level fraudalert notification message; and transmitting, by the first levelcomputing system, the second level fraud alert notification message to asecond level computing system, wherein the second level computing systemis at a higher tier than the first level computing system.
 2. Thecomputer-implemented method of claim 1, further comprising: upondetermining by the first level computing system that the first levelfraud risk score is below the first level fraud threshold, transmitting,by the first level computing system, a continue execution message to thewebserver, wherein the continue execution message instructs thewebserver to continue executing computer operations associated with thefirst level fraud alert notification message.
 3. Thecomputer-implemented method of claim 2, further comprising: receiving,by the second level computing system, the second level fraud alertnotification message; retrieving, by the second level computing system,data records associated with the second level fraud alert notificationmessage and one or more data records of second level fraud risk metrics;determining, by the second level computing system, a second level fraudrisk score based upon the one or more data records associated with thesecond level fraud alert notification message and the one or more datarecords of the second level fraud risk metrics; generating, by thesecond level computing system, a fourth level fraud alert notificationmessage in response to determining that the second level fraud riskscore exceeds a second level fraud threshold; and transmitting, by thesecond level computing system, the fourth level fraud alert notificationmessage to a fourth level computing system.
 4. The computer-implementedmethod of claim 3, wherein the fourth level computing system is at ahigher tier than the second level computing system.
 5. Thecomputer-implemented method of claim 3, further comprising: generating,by the second level computing system, a second level false positivenotification message in response to determining that the second levelfraud risk score is below the second level fraud threshold; andtransmitting, by the second level computing system, the second levelfalse positive notification message to the first level computing system.6. The computer-implemented method of claim 3, further comprising:transmitting, by the second level computing system, a notificationmessage to one or more law enforcement computer systems in response todetermining that the second level fraud risk score is above the secondlevel fraud threshold.
 7. The computer-implemented method of claim 3,wherein the first level, second level, third level, and fourth levelcomputing systems are associated with a common database.
 8. Thecomputer-implemented method of claim 3, further comprising: receiving,by the second level computing system, one or more manual updates to thesecond level fraud risk metrics; and updating, by the second levelcomputing system, the second level fraud risk metrics based upon the oneor more manual updates.
 9. The computer-implemented method of claim 1,further comprising: receiving, by the first level computing system, oneor more manual updates to the first level fraud risk metrics; andupdating, by the first level computing system, the first level fraudrisk metrics based upon the one or more manual updates.
 10. Thecomputer-implemented method of claim 1, further comprising: receiving,by the first level computing system, one or more automated updates tothe first level fraud risk metrics from a fraud prevention server; andupdating, by the first level computing system, the first level fraudrisk metrics based upon the one or more automated updates.
 11. Acomputer system comprising: a first level computing system, comprising afirst memory and a first processor executing first instructions storedin the first memory, in communication with a second level computingsystem, comprising a second memory and a second processor executingsecond instructions stored in the second memory, wherein the first levelcomputing system is configured to: receive a first level fraud alertnotification message from a webserver; retrieve one or more data recordsassociated with the first level fraud alert notification message and oneor more data records of first level fraud risk metrics from a firstlevel risk database; determine a first level fraud risk score based uponthe one or more data records associated with the first level fraud alertnotification message and the one or more data records of the first levelfraud risk metrics; upon determining by the first level computing systemthat the first level fraud risk score exceeds a first level fraudthreshold: generate a second level fraud alert notification message,wherein the second level fraud alert notification message comprises oneor more data fields indicating an escalation of the first level fraudalert notification message; and transmit the second level fraud alertnotification message to the second level computing system, wherein thesecond level computing system is at a higher tier than the first levelcomputing system.
 12. The computer system of claim 11, wherein the firstlevel computing system is configured to: upon determining by the firstlevel computing system that the first level fraud risk score is belowthe first level fraud threshold, transmit a continue execution messageto the webserver, wherein the continue execution message instructs thewebserver to continue executing computer operations associated with thefirst level fraud alert notification message.
 13. The computer system ofclaim 12, wherein the second level computing system is configured to:receive the second level fraud alert notification message; retrieve datarecords associated with the second level fraud alert notificationmessage and one or more data records of second level fraud risk metrics;determine a second level fraud risk score based upon the one or moredata records associated with the second level fraud alert notificationmessage and the one or more data records of the second level fraud riskmetrics; generate a fourth level fraud alert notification message inresponse to determining that the second level fraud risk score exceeds asecond level fraud threshold; and transmit the fourth level fraud alertnotification message to a fourth level computing system.
 14. Thecomputer system of claim 13, wherein the fourth level computing systemis at a higher tier than the second level computing system.
 15. Thecomputer system of claim 13, wherein the second level computing systemis further configured to: generate a second level false positivenotification message in response to determining that the second levelfraud risk score is below the second level fraud threshold; and transmitthe second level false positive notification message to the first levelcomputing system.
 16. The computer system of claim 13, wherein thesecond level computing system is further configured to: transmit anotification message to one or more law enforcement computer systems inresponse to determining that the second level fraud risk score is abovethe second level fraud threshold.
 17. The computer system of claim 13,wherein the first level, second level, third level, and fourth levelcomputing systems are associated with a common database.
 18. Thecomputer system of claim 13, wherein the second level computing systemis further configured to: receive one or more manual updates to thesecond level fraud risk metrics; and update the second level fraud riskmetrics based upon the one or more manual updates.
 19. The computersystem of claim 11, wherein the first level computing system is furtherconfigured to: receive one or more manual updates to the first levelfraud risk metrics; and update the first level fraud risk metrics basedupon the one or more manual updates.
 20. The computer system of claim11, wherein the first level computing system is configured to: receiveone or more automated updates to the first level fraud risk metrics froma fraud prevention server; and update the first level fraud risk metricsbased upon the one or more automated updates.